How To Protect Against Social Engineering
In a previous post I touched on the dangers of social engineering. Social engineering is the process by which an attacker builds rapport with trusted individuals and manipulates them into handing over information, or access, to restricted systems.
How Serious Is Social Engineering?
Social engineering comes in many shapes and sizes and no company is immune. In larger companies there is a greater chance that social engineering attempts will go undetected. Smaller companies benefit from a close-knit community of employees and a customer base that tends to be smaller as well, so an unfamiliar name or voice stands out.
Larger, more dispersed environments may suffer from a non-centralized security staff, a client base that is spread out with no face-to-face interaction, and a scattered management staff with policies that differ from the rest of the company. A lack of common operating procedures and incident-handling procedures undermines the effectiveness of any information technology policy.
To further complicate things, social engineering is hard to detect. Unless someone from the IT staff is actually contacted, or the targeted users are extremely savvy, most attempts will go unnoticed. Social engineering attacks come in so many different flavors that there is no one-size-fits-all approach to detecting and deterring them.
Types of Social Engineering Attacks
Let’s break this down into two different areas: operational attacks and technical attacks. They overlap a little, but they are two separate and distinct categories.
Operational Attacks
Operational attacks are phone calls, emails and maybe even faxes that do two things: build trust and ask for information. A skilled social engineer will take his or her time and not jump to the really difficult questions until they have spent time building groundwork and rapport with employees. Only after they have gathered a significant amount of preparatory information will the attacker ask for more detailed information, or maybe even favors, like a trip to see the datacenter or the server room.
Technical Attacks
Technical attacks require little human interaction. These attacks are really just gaming the system to gather information, and many times a technical attack will precede an operational attack: the names and titles it yields become the props for the phone call that follows. An example of a technical attack would be calling the voicemail system of any business and enumerating names, phone numbers and job descriptions from the mailbox greetings.
Next I’ll tell you ways you can protect yourself against these attacks.
Pingback (February 23rd, 2008 at 4:32 pm): [...] a previous post I went into further detail about what social engineering is and the major types of social [...]